Our team is using AWS Lambda functions and API Gateway to facilitate connections to open banking APIs within Europe (PSD2).
Our Lambdas are written in NodeJS.
PSD2 requires mutual TLS, which is fine, and we have everything correctly implemented and working in a sandbox environment.
An example request would look something like this:
const https = require('https');
const fs = require('fs');

const options = {
  hostname: '[bank hostname]',
  path: '[bank api endpoint]',
  method: 'GET',
  headers: {
    accept: 'application/json',
    signature: 'XXX',
    date: 'XXX',
    digest: 'XXX',
    'x-request-id': 'XXX',
    'tpp-signature-certificate': '[PATH_TO_CERTIFICATE]',
    authorization: 'Bearer [accessToken]',
  },
  cert: fs.readFileSync('/var/task/certs/cert.crt'), // Buffer: client certificate presented for mTLS
  key: fs.readFileSync('/var/task/certs/private.key'), // Buffer: private key matching the certificate
};

const req = https.request(options, (res) => {
  // handle the bank's response here
});
req.end();
The problem we currently have is that we are unsure where to securely store our certificates. For the time being, we are just storing them in an assets folder in our codebase. This is not ideal, and we would like to move them out of our codebase for obvious reasons.
We have been looking at AWS ACM. However, it is not clear how we would retrieve a path to the certificates (after uploading them) in order to use it in the request above.
So my question is: how would we use AWS to securely store our certificates in such a way that we can use them in an HTTPS request?
February 9, 2022. S S. In a typical SSL transaction, the client that is connecting to a server over a secure connection checks the validity of the server. To do so, it checks the server's certificate before initiating the SSL transaction.
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
You cannot retrieve certificates from ACM, in fact these are attached to AWS resources only such as CloudFront, ELBs and API Gateway.
To retrieve the contents, there are a couple of solutions.
The first is to store this in a credential/secrets store; AWS provides this functionality in the Secrets Manager service. Additionally, you can store a SecureString in the Systems Manager Parameter Store.
Alternatively, you could use a third-party solution such as HashiCorp Vault.
With this approach, if you need the file to exist on disk, you will need to store the output in the tmp file storage.
If these approaches do not work for you, you could make use of AWS EFS. A recent addition has added support to allow Lambdas to have an NFS mount attached to share storage.